[syslog-ng] one more sshd rule
Peter Czanik
czanik at balabit.hu
Wed Sep 29 11:34:49 CEST 2010
On 09/29/2010 10:57 AM, Balazs Scheidler wrote:
> Hi,
>
> Are you sure that in this case sshd will not emit the already covered
> messages?
>
> Because if it does, then we'd be generating two login failures to a
> single message.
>
> I remember selecting only one of the failure messages, only the one
> which contained the most information.
>
> If this is the case, then this one should only be marked up for
> logcheck-style classification to mark that it's known and no name-value
> pairs or tags.
>
> If this is not the case, then that's a different matter that needs
> handling probably with the new correllation framework.
>
I found this message on openSUSE, and no other related messages were in
the log. So, in my case it was the only log about the login failure.
Bye,
CzP
> On Thu, 2010-09-23 at 14:11 +0200, Peter Czanik wrote:
>
>> Hello,
>>
>> While checking my logs with pdbtool, I ran into this log message:
>>
>> Sep 23 13:10:03 linux-6y8u sshd[21420]: error: PAM: Authentication
>> failure for root from 192.168.2.52
>>
>> The attached rule seems to find it correctly:
>>
>> HOST=linux-6y8u
>> MESSAGE=error: PAM: Authentication failure for root from 192.168.2.52
>> PROGRAM=sshd
>> PID=21420
>> LEGACY_MSGHDR=sshd[21420]:
>> .classifier.class=system
>> .classifier.rule_id=55ec76e0-c709-11df-b62d-000c298c9ba2
>> usracct.username=root
>> usracct.device=192.168.2.52
>> usracct.type=login
>> usracct.sessionid=21420
>> usracct.application=sshd
>> secevt.verdict=REJECT
>>
>> Bye,
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>
>>
>
--
Peter Czanik (CzP) <czanik at balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
More information about the syslog-ng
mailing list